I'm not making any argument for or against CF. I'm saying that equating the size of a bounty program to the perceived level of dedication to security or code quality of a company is a straw man argument.
If you offer less than $50 for something someone else in the market (albeit for a likely unethical purpose) is willing to pay $10k for, what do you expect people to do?
It isn't a strawman to state economic incentives matter. Or do you genuinely believe everyone experienced in security will take the $50 because of "ethics"?